Richard Bejtlich's blog on digital security, strategic thought, and military history.

Sunday, August 17, 2008

Thoughts on OMFW and DFRWS 2008

Last week I was very happy to attend the 2008 Open Memory Forensics Workshop (OMFW) and the Digital Forensic Research Workshop. Aaron Walters of Volatile Systems organized the OMFW, which consisted of about 40 attendees and a mix of panels and talks in 10 quick afternoon sessions. My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: "I know this is an easy question for all you 'beautiful minds,' but..."

Following the OMFW, I attended the first two days of DFRWS. I thought Secret Service Special Agent Ryan Moore started the conference well by describing his investigations of point-of-sale compromises (announced by the FBI as a retail hacking ring) (.pdf). This was probably the best .gov presentation I've seen in a while. I was impressed by the degree to which SA Moore used open source, because he wanted to show retailers they could vastly improve their security using low-cost methods.

The remainder of the DFRWS presentations were a mix of academic-style presentations, tool development updates, and reports on practical issues faced in the field. The academic presentations made an impression on me; I noticed that those sorts of talks are some of the closest we have to "computer science." For example, you develop a new algorithm or technique (perhaps to carve memory), and then test the method against a range of samples.

In other cases, researchers "simply" seek to understand how a system works. I say "simply," because you might think "Hey, it's a computer. It must be easy to figure out." Instead, researchers find that systems (OS, applications, whatever) don't do what their developers claim they do, or the internals are more complicated than at first glance, or any other number of permutations make the reality diverge sharply from the theory.

In terms of technical notes, OMFW and DFRWS contained many little tidbits. For example, I was reminded that one can alter the run-time configuration of any Windows system by writing directly to the registry in memory. Normally these changes are synced to disk every 5 seconds, but those can be avoided because direct memory access avoids the Windows APIs which would result in changes being saved. It was cool to hear about matching packets in memory with similar packets captured outside the system (via network sniffer) in order to improve attribution. (Those packets in memory can be associated with a user logged in at the time the memory was captured.)

Integrating evidence via framework tools is another theme. PyFlag looks great for this. I must congratulate the Volatility/PyFlag team for winning the 2008 DFRWS Challenge, a sort of CTF for defenders. (Notice this gets zero press. Defense is not glamourous.) Reading their team submission is a learning experience. Indeed, I was very impressed by the level of expertise applied to each challenge. I'd like to review the archives to see how previous events have been investigated.